Security

F5 and Confluence Attack Chain Hits Hybrid Identity

3 min read

Summary

Microsoft detailed a multi-stage intrusion where attackers compromised an internet-facing F5 BIG-IP appliance, pivoted to an internal Linux host, then exploited Confluence to steal credentials and target Active Directory. The incident highlights how edge devices, Linux systems, and SaaS apps can become linked attack paths in hybrid environments, making broader monitoring and patching essential.

Need help with Security?Talk to an Expert

Introduction

Microsoft has published a new incident analysis showing how a compromise of an internet-facing edge appliance can quickly turn into a much broader enterprise breach. For security teams, the key lesson is clear: edge devices, Linux servers, internal web apps, and identity systems must all be treated as part of the same attack surface.

What happened

The attack chain began with an F5 BIG-IP Virtual Edition appliance hosted in Azure. Microsoft said the device was running an end-of-life version, making it a likely entry point through exploitation of a known vulnerability.

The threat actor then:

  • Used the F5 appliance to gain SSH access to an internal Linux server
  • Performed network discovery and reconnaissance with tools including Nmap and gowitness
  • Downloaded a custom Linux reconnaissance tool detected as HackTool:Linux/MalPack.B
  • Identified an unpatched Atlassian Confluence server and used it for remote code execution
  • Extracted credentials from Confluence configuration files
  • Attempted NTLM and Kerberos relay-style attacks against Active Directory, including activity tied to CVE-2025-33073

Microsoft noted that the attacker maintained privileged access without deploying formal persistence, relying instead on trusted access and over-privileged accounts.

Why this matters for defenders

This incident shows how modern attacks increasingly cross traditional boundaries:

  • Edge appliances are becoming high-value initial access points
  • Linux systems are often less monitored than Windows endpoints
  • Internal apps like Confluence can expose sensitive service credentials
  • Hybrid identity trust relationships can enable lateral movement that bypasses perimeter-focused defenses

Even when a vulnerable application is not internet-facing, attackers can still reach it after compromising another trusted system inside the environment.

Impact on IT administrators

Security and infrastructure teams should review whether they have:

  • Unsupported or end-of-life edge appliances still in production
  • Over-privileged Linux accounts with broad sudo access
  • Unpatched Confluence or other internal web applications
  • Monitoring coverage across network devices, Linux hosts, SaaS apps, and identity events

Organizations using Azure-hosted network appliances should also validate image versions used in ARM templates or Terraform deployments.

  • Patch or replace EOL F5 BIG-IP instances immediately
  • Audit and reduce privileged SSH access on Linux systems
  • Patch Confluence and review stored application credentials
  • Monitor for unusual cross-system authentication activity involving service accounts
  • Use Microsoft Defender XDR detections, advanced hunting, and attack path analysis to identify related exposure

The broader takeaway is that defenders should stop viewing edge, endpoint, SaaS, and identity security as separate problems. Attackers are already treating them as one connected path.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

F5 BIG-IPConfluenceMicrosoft Defender XDRLinux securityActive Directory

Related Posts

Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.

Security

Microsoft Entra ID Passkeys Default Rollout Dates

Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.

Security

Microsoft Secure Future Initiative July 2026 Update

Microsoft’s July 2026 Secure Future Initiative progress report highlights major security gains across identity, cloud resource isolation, vulnerability remediation, and AI-driven defense. The update matters to IT and security teams because it pairs measurable hardening progress with practical guidance on phishing-resistant MFA, secure defaults, composite attack paths, and post-quantum readiness.

Security

GigaWiper Malware: Microsoft Details Destructive Backdoor

Microsoft Threat Intelligence has published a deep analysis of GigaWiper, a Golang-based backdoor that combines command-and-control features with multiple destructive payloads, including disk wiping, fake ransomware, and system sabotage. The research matters because it shows attackers consolidating several malware families into a single modular implant, increasing flexibility while reducing deployment footprint.

Security

Microsoft SFI AI Hardens Cloud Security at Scale

Microsoft detailed an internal multi-agent AI system built under its Secure Future Initiative (SFI) to proactively evaluate and harden live cloud services. The approach speeds up deep security analysis from weeks to hours by correlating code, identity, network, configuration, and runtime signals to uncover composite risks that single-tool reviews can miss.

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.